I’m currently evaluating SonarQube’s security module to detect vulnerabilities in our source code and ensure comprehensive codebase scanning across all projects.
I understand that SonarQube allows certain files and folders to be excluded from scans, which can help refine the analysis scope. However, from a security standpoint, this also introduces a risk where critical directories might be unintentionally omitted, potentially leaving vulnerabilities undetected.
To mitigate this risk, I’d appreciate your guidance on best practices for managing exclusions and ensuring thorough security scans, including what recommendations we should provide to the development team to help them avoid this issue while using LOC capacity correctly. In addition to that:
Is there a way to enforce security scans across the entire codebase, even if teams have configured exclusions?
Does SonarQube provide an API endpoint to retrieve project settings, including scanned and excluded directories? If so, which API calls should we use?
Looking forward to your insights. Thanks in advance for your support!
If I have configured sonar.sources to src/sub/dir then I’ve implicitly excluded everything else.
Similarly, I could set sonar.sources to src, but then narrow it with sonar.inclusions=sub/dir, to the same effect.
We’ve always advised that analysis exclude libraries and other 3rd-party code, but adherence to setting sane analysis scope (both the base sonar.sources as well as inclusions / exclusions) can only be ensured with manual audits, I’m afraid.
More bad news, I’m afraid. While it’s possible to retrieve the settings stored on the server, the settings passed with analysis are not stored anywhere. So if I set sonar.sources=path/to/one/specific/file or sonar.exclusions=**/* on the analysis side, there’s nowhere to retrieve it from.
And I understand your concerns from a security audit standpoint, so I’m going to raise this internally. Although I wouldn’t hold my breath on this IIWY.
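Since the reply above says scope settings passed at analysis time are not stored on the server and can only be checked by manual audit, the following is an added example (not code from the post or from SonarSource) of what such an audit can look like in a repository: it parses a developer-managed `sonar-project.properties`, models how `sonar.sources`, `sonar.inclusions` and `sonar.exclusions` combine, and flags scope narrowing that a reviewer would want justified. The glob-to-regex translation (`**` spans directories, `*` stays within one path segment), the severity levels, the list of "expected" third-party exclusions and the sample properties and file list are all this example's own assumptions, not SonarQube's implementation.

```python
"""Audit a sonar-project.properties file for analysis-scope settings that can
silently shrink what SonarQube scans.  Added example, not SonarSource code."""
import re

# Constructed sample: a developer-managed properties file with a line continuation.
SAMPLE_PROPERTIES = """\
# constructed example of a developer-managed sonar-project.properties
sonar.projectKey=payments-service
sonar.sources=src
sonar.exclusions=**/node_modules/**,\\
    src/legacy/**,**/*.min.js
sonar.inclusions=**/*.java
"""

# Constructed sample of repository paths, relative to the project base dir.
SAMPLE_FILES = [
    "src/main/App.java",
    "src/main/auth/Login.java",
    "src/legacy/Old.java",
    "src/web/bundle.min.js",
    "src/web/app.js",
    "src/node_modules/lib/index.js",
    "tools/deploy.py",
]

CATCH_ALL = {"**", "**/*", "*", "**/**"}               # assumption: patterns that match everything
EXPECTED_EXCLUSION_HINTS = ("node_modules", "vendor", "third_party",
                            "third-party", "generated", ".min.")  # assumption: typical 3rd-party code


def _logical_lines(text):
    """Join backslash-continued lines the way Java .properties files do."""
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        pending = ""
        yield line
    if pending:
        yield pending


def parse_properties(text):
    """Minimal .properties parser: key=value or key:value, '#'/'!' comments."""
    props = {}
    for line in _logical_lines(text):
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def split_list(value):
    return [v.strip() for v in value.split(",") if v.strip()]


def glob_to_regex(pattern):
    """Translate a SonarQube-style glob into an anchored regex (assumed semantics:
    '**/' = any directory prefix, '**' = anything, '*' = within one segment)."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**/", i):
            out.append("(?:.*/)?"); i += 3
        elif pattern.startswith("**", i):
            out.append(".*"); i += 2
        elif pattern[i] == "*":
            out.append("[^/]*"); i += 1
        elif pattern[i] == "?":
            out.append("[^/]"); i += 1
        else:
            out.append(re.escape(pattern[i])); i += 1
    return re.compile("^" + "".join(out) + "$")


def effective_scope(props, files):
    """Return (scanned, dropped): files under sonar.sources that pass inclusions
    and are not hit by any exclusion."""
    sources = split_list(props.get("sonar.sources", "."))
    incl = [glob_to_regex(p) for p in split_list(props.get("sonar.inclusions", ""))]
    excl = [glob_to_regex(p) for p in split_list(props.get("sonar.exclusions", ""))]
    scanned, dropped = [], []
    for f in files:
        in_sources = any(s in (".", "./") or f == s or f.startswith(s.rstrip("/") + "/")
                         for s in sources)
        included = not incl or any(r.match(f) for r in incl)
        excluded = any(r.match(f) for r in excl)
        (scanned if in_sources and included and not excluded else dropped).append(f)
    return scanned, dropped


def audit_scope(props, files):
    """Return a list of (severity, message) findings about scope narrowing."""
    findings = []
    sources = split_list(props.get("sonar.sources", ""))
    for src in sources:
        if src in (".", "./"):
            continue
        if "." in src.rsplit("/", 1)[-1]:          # heuristic: looks like a file, not a dir
            findings.append(("HIGH", f"sonar.sources points at a single file: {src}"))
        elif "/" in src:
            findings.append(("MEDIUM", f"sonar.sources is a sub-directory; everything outside it is implicitly excluded: {src}"))
    for pat in split_list(props.get("sonar.exclusions", "")):
        if pat.strip("/") in CATCH_ALL:
            findings.append(("HIGH", f"catch-all exclusion disables analysis: {pat}"))
        elif not any(h in pat for h in EXPECTED_EXCLUSION_HINTS):
            findings.append(("MEDIUM", f"exclusion removes first-party code and needs justification: {pat}"))
    inclusions = split_list(props.get("sonar.inclusions", ""))
    if inclusions:
        findings.append(("MEDIUM", "sonar.inclusions narrows scope to: " + ", ".join(inclusions)))
    scanned, _ = effective_scope(props, files)
    if files and len(scanned) / len(files) < 0.5:  # assumption: <50% coverage is worth escalating
        findings.append(("HIGH", f"only {len(scanned)}/{len(files)} sample files would be analysed"))
    return findings


if __name__ == "__main__":
    props = parse_properties(SAMPLE_PROPERTIES)
    for severity, message in audit_scope(props, SAMPLE_FILES):
        print(f"[{severity}] {message}")
```

Run against a real checkout, the file list would come from `git ls-files` and the properties from the repository (or from the CI job definition, since `-D` flags passed to the scanner never reach the server either); the point is that the audit has to happen on the analysis side, which is where these settings actually live.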
Hi @alifathi-h1,
If I understand correctly, you are currently evaluating SonarQube on the security side, meaning you are evaluating a commercial edition of SonarQube (can you confirm?).
In that case, you should have a direct point of contact with a Solution Engineer on our end, who will be able to set up a meeting with you to discuss these points in detail and ensure you are on a good path to lead the evaluation.
Let me know if this isn’t the case.
Have a nice day ahead,
Carine